About 96 percent of the federal workforce is using personal identification verification cards as a trusted credential for activities across government, but having a single card for travel and other purchases is probably several years away, according to a leading General Services Administration executive.

Credit card companies are moving toward a chip-enabled smart credit card that is difficult to counterfeit, and this could push the use of the technology on the government PIV card, said Deborah Gallagher, director of the Identity Assurance and Trusted Access Division within GSA’s Office of Governmentwide Policy. The smart card uses both a magnetic strip and an embedded microchip to store the data that is needed to verify the transaction.

Banks are pushing hard for the capabilities because they help combat the types of security breaches recently seen in retail stores. “But I think it is going to be at least a couple of years,” before the technology is implemented in PIV cards, Gallagher said.

“Our users are not asking for it yet. They are aware of it,” said Paul Grant, strategy advisor for cybersecurity within the Defense Department’s Office of the CIO. “We need to demonstrate that it can be done and get to the people who are managing those millions of purchase and travel cards.”

Grant said the managers should know that they can get out of the business of issuing the cards. They can use the applications on the PIV card, or Common Access Card for DoD users.

Gallagher and Grant spoke on June 11 at a federal cybersecurity seminar presented by Federal Times and C4ISR and Networks, sponsored by DLT Solutions. The two government executives are co-chairs of the Identity Credential and Access Management Subcommittee (ICAM), managed by the Federal CIO Council. ICAM has helped move forward Homeland Security Presidential Directive 12, which requires a common identification standard for all federal employees and contractors.

The focus now is on building a framework for access management and authorization by the end of the year, Gallagher said. The framework can be viewed as an overarching checklist for managers to determine if they have the appropriate levels of assurance for a system and the activities in place to help them determine who is on their networks, Gallagher said. As a result, the framework is tied closely with work on continuous diagnostics mitigation, anti-phishing and privileged users.

Additionally, the GSA will start rolling out physical access systems that adhere to PIV and PIV-Interoperability standards as early as next week. The plan is to roll out the systems in GSA-leased and owned buildings by the end of 2015, Gallagher said.

The federal cybersecurity and identity credential access management story has been evolving for several years and will take a combination of technology, training policies, and acquisition changes to fully unfold, said Van Ristau, chief technology officer of DLT Solutions.

“The biggest problem we have today are complexity of the threat, complexity of the solutions and complexity of the procurement process. It is just a hairball,” Ristau said.

Gallagher noted that GSA has tried to address the complexity of security solutions via interoperability testing to ensure, for example, that all of the components of a physical access management system actually work together. But testing doesn’t solve acquisition problems, which might require a change in acquisition language that includes the need to update systems in the event of changing threats, Gallagher said.